path: root/tests/test_backend.py
Commit message [Author, Age, Files, Lines]
* Merge "Create default role on demand" [Jenkins, 2013-08-10, 1, -0/+12]
|\
| * Create default role on demand [Adam Young, 2013-08-06, 1, -0/+12]
| |   When adding a user to a project, if the default role is missing, create it.
| |   Bug 1176270
| |   Change-Id: Id972ccf9c132c362a0b85049d248530dc2d56d54
* | Remove kwargs from manager calls where not needed. [Morgan Fainberg, 2013-08-01, 1, -17/+15]
|/    This patch removes the use of kwargs from manager calls where not required. Dogpile.cache (the targeted caching library) does not support kwargs out of the box with its cache-key-generator. This change allows us to support the default cache-key-generator; while it is possible to create a new cache-key-generator function, there are many possible edge-cases to deal with when making cache invalidation calls (ensuring the arguments are the same) as well as possible performance implications (depending on the depth of method introspection needed to determine how to invalidate the cache).
|     As an added bonus, this change brings the code touched more in-line with the rest of keystone where most manager/driver calls do not use kwargs unless absolutely required.
|     blueprint: caching-layer-for-driver-calls
|     Change-Id: I035c976314fb48f657661f681f7c1760d3c547a6
* Remove an enumerate call [Liang Bo, 2013-07-21, 1, -1/+1]
|   Refactor tests/test_backend.py, remove a useless enumerate call in for loop.
|   Change-Id: I5d1914ae3490f715437711d594ec903a2c6632f5
* Implement role assignment inheritance (OS-INHERIT extension) [Henry Nash, 2013-07-17, 1, -0/+190]
|   This extension allows for project roles to be optionally inherited from the owning domain. The v3 grant APIs are extended to take an inherited_to_projects flag. The GET role_assignments API will also include these roles in its response, either showing them as inherited roles assigned to the domain or, if the 'effective' query parameter is set, will interpret the inheritance and reflect those role assignments on the projects.
|   The inherited_to_projects flag is encoded in the role list in the metadata of the relevant entries in the grant tables. The 'roles' key in the metadata is now a list of dicts, as opposed to a simple list, where each dict is either {'id': role_id} for a regular role, or {'id': role_id, 'inherited_to': 'projects'} for an inherited role.
|   Remember that a previous patch had rationalized the way metadata is handled so that its structure is entirely hidden within the driver layer.
|   The extension can be enabled/disabled via a config setting.
|   Limitations:
|   - The extension is not yet discoverable via url, this will be added as a separate patch when the v3/extensions work is complete.
|   A separate issue has been discovered with the fact that the v2 calls of 'get_projects_for_user()' and 'list_user_projects()' should be rationalized and also honor both group (and inherited) role assignments. This is being raised as a separate bug.
|   DocImpact
|   Implements bp inherited-domain-roles
|   Change-Id: I35b57ce0df668f12462e96b3467cef0239594e97
* Merge "Rationalize how we get roles after authentication in the controllers" [Jenkins, 2013-07-10, 1, -61/+7]
|\
| * Rationalize how we get roles after authentication in the controllers [Henry Nash, 2013-07-10, 1, -61/+7]
| |   Currently there is a mixture of strategies in the v2 and v3 controllers for how to get the roles assigned for the scope of the requested authentication. This duplicates code, is hard to maintain and in at least one case (where your only roles on a project are due to a group membership) is not actually correct (for v2 tokens).
| |   This change does the following:
| |   - Standardizes on using the 'get_roles_for_user_and_project()', and its domain equivalent, for how roles are obtained to build a token. This was already the case for v3 tokens. The controllers no longer need to get metadata and extract the roles.
| |   - Removes the driver level function to 'authorize_for_project' - this is now handled within the controller. The driver simply supports the user authentication.
| |   A nice (and planned for) side effect of the above is that we now hide the schema of how we store roles within the driver layer - i.e. nothing outside of the driver (other than any specific-to-implementation tests) have to know about how roles are stored in the metadata. This paves the way for a re-implementation of the grant tables in IceHouse.
| |   This change also fills in missing function definitions in the assignment driver.
| |   Implements bp authenticate-role-rationalization
| |   Change-Id: I75fc7f5f728649d40ab1c696b33bbcd88ea6edee
* | Merge "Remove a useless arg in range()" [Jenkins, 2013-07-10, 1, -3/+3]
|\ \ | |/ |/|
| * Remove a useless arg in range() [Du Yujie, 2013-07-05, 1, -3/+3]
| |   Modify tests/test_backend.py, remove the useless arg ("start index" = 0) since its default value is 0.
| |   Change-Id: Ia88c538a6dfe751e94fdb7f465ab87ce72cfa108
* | Merge "Fix issue with v3 tokens and group membership roles" [Jenkins, 2013-07-08, 1, -1/+100]
|\ \
| * | Fix issue with v3 tokens and group membership roles [Henry Nash, 2013-07-06, 1, -1/+100]
| |/    The driver calls used by v3 token controllers to obtain roles for a user on both project and domain were incorrectly implemented, leading to roles being missed out of the token. v2 tokens are not affected, since they don't use the same driver calls.
| |     This fixes these functions and adds additional tests to cover the cases (all of which would fail without this patch).
| |     As part of this fix, the implementation of "get_roles_for_user_and_project()" is pulled up into the driver class (like the domain equivalent is already), since, for all implementations, it is independent of backend technology.
| |     Fixes bug 1197874
| |     Change-Id: I59b6882d93bdc8372be03fed0b390b002a6d0320
* | Merge "Remove an enumerate call" [Jenkins, 2013-07-08, 1, -1/+1]
|\ \
| * | Remove an enumerate call [Zhang Chun, 2013-07-05, 1, -1/+1]
| |/    Refactor tests/test_backend.py, remove a useless enumerate call in for loop.
| |     Change-Id: I1268ce70d40994078343ec3120021c131e52713d
* / Implement GET /role_assignment API call [Henry Nash, 2013-07-03, 1, -0/+66]
|/    Add support for the GET /role_assignment call as a first step to making role_assignment a first class entity. This patch also enables v3 collection filtering to match against attributes of entities being returned in the list, using the same dot notation (e.g. user.id) that we already support for policy file checking against filters.
|     Limitations:
|     - The current implementation uses the standard v3 collections wrapper mechanism for filtering. Given the potential numbers of role assignments in a large system, this may have performance and resource impacts. A future improvement would pass the filters into the driver layer to keep the internal assignment processing to a minimum.
|     - The LDAP backend is not currently supported
|     Implements bp get-role-assignments
|     Change-Id: I6ff2ea780e39d7097a88214fbb3ddee1b924c30c
* Manager instead of direct driver [Adam Young, 2013-06-28, 1, -145/+145]
|   Make calls via the manager as opposed to the drivers in order to support refactoring of common code
|   Bug 1193420
|   Change-Id: I69117ea755ed7ef3f7d3732fee83cc758927d296
* Stop passing context to managers (bug 1194938) [Dolph Mathews, 2013-06-28, 1, -182/+116]
|   We don't have a use case for passing the request context to the manager layer, so this patch removes a bunch of cruft.
|   Change-Id: Ic6435782c4c9f32e38c7800172645cc1af23ea09
* Isolate eventlet code into environment. [Jamie Lennox, 2013-06-18, 1, -1/+2]
|   The environment module will be configured once, during code initialization. Subsequently all other possibly-evented modules will retrieve from environment and transparently obtain either the eventlet or standard library modules.
|   If eventlet, httplib, subprocess or other environment dependent module is referenced outside of the environment module it should be considered a bug.
|   The changes to tests are required to ensure that test is imported first to setup the environment. Hopefully these can all be replaced with an __init__.py in a post-nose keystone.
|   Implements: blueprint extract-eventlet
|   Change-Id: Icacd6f2ee0906ac5d303777c1f87a184f38283bf
* Merge "Move user fileds type check to identity.Manager" [Jenkins, 2013-06-18, 1, -36/+59]
|\
| * Move user fileds type check to identity.Manager [Wu Wenxiang, 2013-06-16, 1, -36/+59]
| |   The fields type's checking logic during creating and updating users applies to all driver calls. It should be centralized in the identity.Manager rather than continuing the trend of spreading them out between controllers, managers and drivers.
| |   This patch moves the enable type checking logic to identity.Manager and modifies the related test cases in test_backend.py.
| |   Change-Id: I37df56a61cd5ab332dcc9d74a7e99ee9041aa32e
* | Http 400 when project enabled is not a boolean [Wu Wenxiang, 2013-06-16, 1, -0/+30]
|/    Having enabled="true" in json data when updating tenant will produce 500
|     When updating a project, no type check was performed on the enabled attribute. Therefore, if enabled value in JSON/XML is not a boolean but a string, keystone responds with an incorrect Http 500 error code and the stacktrace.
|     The change introduces a type validation of the enabled attribute at identity manager. If the type is not a boolean, keystone now returns an appropriate Http 400 error code with a message pointing a bad format for the attribute.
|     Test cases have been added to file test_backend and test_content_types for testing the case when enabled attribute is a string or int when updating project.
|     Fixes bug #1191384
|     Change-Id: I86dd7e71d4bac1e3fd6fcabaa1a2136a47722e5f
* Add checks to test if enabled is bool [galstrom21, 2013-06-12, 1, -2/+15]
|   fixes: bug #1167593
|   Change-Id: Ie18fa17f16383f31d8aa083e69fa501d80eb4553
* split authenticate call [Adam Young, 2013-06-03, 1, -113/+152]
|   Necessary step for splitting out the projects also just a cleaner implementation
|   Blueprint extract-projects-from-id
|   Change-Id: I79f9cac4ace6894fba5784bf61c8ef5b4e81d28f
* Improve the performance of tokens deletion for user [gengjh, 2013-05-30, 1, -2/+43]
|   Provide new delete the tokens api 'delete_tokens' to support delete all the tokens for user in one session in the sql backend. For the kvs and memcache, I also provide the corresponding implementation.
|   Fix bug 1178063
|   Change-Id: I986a583e5900ea04e26cbdb7c49638a33818bca7
* Merge "Move auth_token middleware from admin user to an RBAC policy" [Jenkins, 2013-05-30, 1, -1/+1]
|\
| * Move auth_token middleware from admin user to an RBAC policy [Joe Gordon, 2013-05-16, 1, -1/+1]
| |   Before this patch auth_token middleware required admin user credentials stored in assorted config files. With this patch only non-admin user credentials are needed. The revocation_list and validate_token commands use a policy.json rule, to only allow these commands if you have the service role.
| |   Rule used:
| |   "service_role": [["role:service"]],
| |   "service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
| |   Added the policy wrapper on the validate functions.
| |   Fixes bug 1153789
| |   Change-Id: I43986e26b16aa5213ad2536a0d07d942bf3dbbbb
* | Replace assertDictContainsSubset with stdlib ver [Yuriy Taraday, 2013-05-27, 1, -7/+7]
| |   Code copied and adopted from unittest.TestCase class from CPython 2.7 stdlib.
| |   Change-Id: Ifae16f947600f7a9d1f8d1a879fd914d0cf4d65e
* | Cleanup docstrings (flake8 H401, H402, H403, H404) [Dolph Mathews, 2013-05-24, 1, -2/+2]
| |   - docstring should not start with a space (flake8 H401)
| |   - one line docstring needs punctuation (flake8 H402)
| |   - multi line docstring end on new line (flake8 H403)
| |   - multi line docstring should start with a summary (flake8 H404)
| |   Change-Id: I69b414395930bda739aa01b785ac619fa8bb7d9b
* | Remove unused variables (flake8 F841) [Dolph Mathews, 2013-05-23, 1, -6/+6]
| |   Change-Id: I716a6b61c2b3faaa23cc79f58c6c6e01cfc232f2
* | Merge "Read-only default domain for LDAP (bug 1168726)" [Jenkins, 2013-05-21, 1, -27/+26]
|\ \
| * | Read-only default domain for LDAP (bug 1168726) [Dolph Mathews, 2013-05-21, 1, -27/+26]
| | |   A proper fix to the above was also blocked by bug 1117356, so that's fixed here as well (updates properly return the resulting entities).
| | |   Change-Id: I672b90e67545cc1fe65b05ef7f8af5b42ca6afc3
* | | Implement Token Flush via keystone-manage. [Jamie Lennox, 2013-05-21, 1, -0/+26]
|/ /    Creates a cli entry 'token_flush' which removes all expired tokens.
| |     Fixes: bug 1032633
| |     Implements: blueprint keystone-manage-token-flush
| |     Change-Id: I47eab99b577ff9e9ee74fee08e18fd07c4af5aad
* | Merge "Http 400 when user enabled is not a boolean" [Jenkins, 2013-05-17, 1, -0/+47]
|\ \
| * | Http 400 when user enabled is not a boolean [Bruno Semperlotti, 2013-05-16, 1, -0/+47]
| | |   When creating or updating a user, no type check was performed on the enabled attribute. Therefore, if enabled value in JSON/XML is not a boolean but a string or an int, keystone responds with an incorrect Http 500 error code and the stacktrace.
| | |   The change introduces a type validation of the enabled attribute at backend and api layer. If the type is not a boolean, keystone now returns an appropriate Http 400 error code with a message pointing a bad format for the attribute.
| | |   Test cases have been added to file test_backend and test_content_types for testing the case when enabled attribute is a string or int when creating or updating user.
| | |   The same correction can be done for create/update projects, domains.
| | |   Change-Id: I7d2fe3acf0c4dbd3ce5bdf9f4d059df085853b84
| | |   Fixes: bug #1110435
* | | Merge "Test listing of tokens with a null tenant" [Jenkins, 2013-05-16, 1, -1/+7]
|\ \ \ | |/ / |/| |
| * | Test listing of tokens with a null tenant [Bernhard M. Wiedemann, 2013-04-23, 1, -2/+8]
| | |   Test for fix of bug 1078497
| | |   Change-Id: I5cd28b38111f3e80adbb33ef1b1c8db7630d75f8
* | | Fix pyflakes and pep8 in prep for flake8. [Monty Taylor, 2013-05-13, 1, -1/+1]
| | |   Change-Id: Ifc8c876760f8402fc3293326972b9286fb1635c9
* | | Allow backend & client SQL tests on mysql and pg. [Jamie Lennox, 2013-05-10, 1, -18/+42]
| |/    Currently the tables are not created which means that it isn't possible for these tests to run on anything other than sqlite.
|/|     Fix test issues where the token id that is used to create the token is not the same as the id that the token is saved with.
| |     Fix a number of foreign key constraints issues.
| |     Bug 1178041
| |     Change-Id: Ib67eb97836e4224940abdeae4bba66748bfe4ca5
* | Merge "fix undefined variable" [Jenkins, 2013-04-23, 1, -0/+6]
|\ \ | |/ |/|
| * fix undefined variable [Brant Knudson, 2013-04-08, 1, -0/+6]
| |   An undefined variable was used in the trust kvs backend, this fixes it.
| |   Change-Id: I9c25d85ab64afa2bf7639d3fd14a4d6839dacb64
* | Merge "test duplicate name" [Jenkins, 2013-04-22, 1, -3/+3]
|\ \
| * | test duplicate name [Brant Knudson, 2013-04-09, 1, -3/+3]
| |/    the test_list_trust_by_trustee method in test_backend is duplicated. One of them should be test_list_trust_by_trustor.
| |     The original test_list_trust_by_trustee that wasn't run before had a couple of problems so fixed those, too.
| |     Change-Id: I14759c83c5d4b7387e5d760d8418b889c4522c21
* | Merge "Removed unused imports" [Jenkins, 2013-04-17, 1, -1/+0]
|\ \
| * | Removed unused imports [Dolph Mathews, 2013-04-16, 1, -1/+0]
| | |   Change-Id: Ief6534ee25a83027979d92c9ce3a92e0ea28c07c
* | | Merge "Fixed unicode username user creation error" [Jenkins, 2013-04-17, 1, -0/+9]
|\ \ \ | |/ / |/| |
| * | Fixed unicode username user creation error [Liang Chen, 2013-04-13, 1, -0/+9]
| |/    The code tries to construct a byte string object to test the length of the string field (The explicit construction of the string object is necessary as sometimes v can be other types, for example int). This will cause error if the string field (v) is a unicode object.
| |     Fixes bug #1166701
| |     Change-Id: I73cee4da5c9f91ce135e7f81d88c979871f61767
* | Fix token ids for memcached [Adam Young, 2013-04-12, 1, -2/+8]
| |   Bug 1119641
| |   Change-Id: Ia22764acc69a272b37364193d10c553a48679b9a
* | Merge "residual grants after delete action (bug1125637)" [Jenkins, 2013-04-12, 1, -17/+16]
|\ \ | |/ |/|
| * residual grants after delete action (bug1125637) [Gordon Chung, 2013-03-04, 1, -17/+16]
| |   remove all applicable grants when role is deleted (sql/kvs solution only)
| |   Fixes: bug #1125637
| |   Change-Id: I3a958c6d56739e37a95f6c713fab154827e9ceca
* | Validate domains unconditionally (bug 1130236) [Dolph Mathews, 2013-03-19, 1, -2/+2]
| |   Ensure that we validate the domain status of user/project for a user authenticating via the v2 API.
| |   This patch builds on the initial functional change done by Dolph, and fixes up the tests that broke due to domain being required in any tests that setup data directly in the backends.
| |   Fixes Bug #1130236
| |   Change-Id: I66dfd453fb95fa4fa3fde713b663386a2c2ecdf8
* | Fix live ldap tests [Allan Feid, 2013-03-19, 1, -11/+11]
| |   Clean up clear_live_database so that all fixture data is removed. Make sure we use the configured trees for each ldap object in tests. Ensure all live tests pass or are skipped where appropriate.
| |   Fixes: bug #1154277
| |   Change-Id: I2eb4efe78e2c9d2a18bce339765b3ab5d20ac8f5